CVE-2025-71260

Severity: High · Public PoC · RCE

Published: 19 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (see hotfixes below)
CVSS Score (v4): 8.7 · CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.3436 (98.2nd percentile)
Risk Priority: 60 (floored blend, peak EPSS)

Summary

CVE-2025-71260 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in BMC FootPrints ITSM. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability (CWE-502) in the ASP.NET servlet's VIEWSTATE handling. The flaw permits authenticated attackers to supply crafted serialized objects via the VIEWSTATE parameter, resulting in arbitrary code execution that fully compromises the application. The issue carries a CVSS 4.0 score of 8.7, reflecting a network attack vector, low attack complexity, and low privileges required.

An attacker with valid credentials can exploit the weakness to achieve remote code execution and take complete control of the affected ITSM instance. Because the vector requires authentication but no user interaction, the attack can be launched from any reachable network position once valid session credentials are obtained.

Official remediation is provided through the listed hotfixes for each affected release branch, including 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01, as detailed in BMC release notes and corroborated by VulnCheck and WatchTowr advisories.

EPSS for the CVE has risen from lower values to a peak of 0.3659 (current 0.3033), indicating emerging post-disclosure exploitation interest that warrants renewed attention from defenders.

Vulnerability details

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Deserialization vulnerability in ASP.NET VIEWSTATE of network-accessible BMC FootPrints ITSM enables authenticated remote code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-71257 (same product: BMC FootPrints ITSM)
CVE-2025-71259 (same product: BMC FootPrints ITSM)
CVE-2025-71258 (same product: BMC FootPrints ITSM)
CVE-2025-62368 (shared CWE-502)
CVE-2025-68903 (shared CWE-502)
CVE-2025-67911 (shared CWE-502)
CVE-2025-54014 (shared CWE-502)
CVE-2026-22505 (shared CWE-502)
CVE-2025-53078 (shared CWE-502)
CVE-2026-43633 (shared CWE-502)

Affected Assets

BMC FootPrints ITSM, versions 20.20.02 through 20.24.01.001

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent): Directly requires applying the listed hotfixes that remediate the deserialization flaw in VIEWSTATE handling.

SI-10 Information Input Validation (prevent): Mandates validation of input data, which would block crafted serialized objects supplied via the VIEWSTATE parameter.

Integrity verification control (prevent, detect): Requires integrity verification of software and information, helping ensure only trusted code executes after deserialization.
